diff --git a/assets/queries/ansible/aws/api_gateway_without_waf/metadata.json b/assets/queries/ansible/aws/api_gateway_without_waf/metadata.json
index 87452351451..f343b610d6b 100644
--- a/assets/queries/ansible/aws/api_gateway_without_waf/metadata.json
+++ b/assets/queries/ansible/aws/api_gateway_without_waf/metadata.json
@@ -1,9 +1,9 @@
 {
 "id": "f5f38943-664b-4acc-ab11-f292fa10ed0b",
 "queryName": "API Gateway without WAF",
- "severity": "MEDIUM",
+ "severity": "MEDIUM",
 "category": "Networking and Firewall",
- "descriptionText": "API Gateway should have WAF (Web Application Firewall) enabled",
+ "descriptionText": "API Gateway should have WAF (Web Application Firewall) enabled",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/wafv2_resources_module.html#parameter-arn",
 "platform": "Ansible",
 "descriptionID": "8e789062",
diff --git a/assets/queries/ansible/aws/authentication_without_mfa/metadata.json b/assets/queries/ansible/aws/authentication_without_mfa/metadata.json
index 46d08df5682..eeb7e7e9b3e 100644
--- a/assets/queries/ansible/aws/authentication_without_mfa/metadata.json
+++ b/assets/queries/ansible/aws/authentication_without_mfa/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Authentication Without MFA",
 "severity": "HIGH",
 "category": "Access Control",
- "descriptionText": "Users should authenticate with MFA (Multi-factor Authentication)",
+ "descriptionText": "Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_mfa_device_info_module.html",
 "platform": "Ansible",
 "descriptionID": "36040ce0",
diff --git a/assets/queries/ansible/aws/cloudfront_logging_disabled/metadata.json b/assets/queries/ansible/aws/cloudfront_logging_disabled/metadata.json
index f3a3336b5de..7a74e24b33b 100644
--- a/assets/queries/ansible/aws/cloudfront_logging_disabled/metadata.json
+++ b/assets/queries/ansible/aws/cloudfront_logging_disabled/metadata.json
@@ -1,9 +1,9 @@
 {
 "id": "d31cb911-bf5b-4eb6-9fc3-16780c77c7bd",
- "queryName": "Cloudfront Logging Disabled",
+ "queryName": "CloudFront Logging Disabled",
 "severity": "MEDIUM",
 "category": "Observability",
- "descriptionText": "AWS Cloudfront distributions must have logging enabled, which means the attribute 'logging' must be defined with 'enabled' set to true",
+ "descriptionText": "AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/cloudfront_distribution_module.html",
 "platform": "Ansible",
 "descriptionID": "1bfc2dfd",
diff --git a/assets/queries/ansible/aws/cloudfront_logging_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudfront_logging_disabled/test/positive_expected_result.json
index 38fc58455d2..45d5f284ccf 100644
--- a/assets/queries/ansible/aws/cloudfront_logging_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/cloudfront_logging_disabled/test/positive_expected_result.json
@@ -1,11 +1,11 @@
 [
 {
- "queryName": "Cloudfront Logging Disabled",
+ "queryName": "CloudFront Logging Disabled",
 "severity": "MEDIUM",
 "line": 2
 },
 {
- "queryName": "Cloudfront Logging Disabled",
+ "queryName": "CloudFront Logging Disabled",
 "severity": "MEDIUM",
 "line": 62
 }
diff --git a/assets/queries/ansible/aws/cloudfront_without_waf/metadata.json b/assets/queries/ansible/aws/cloudfront_without_waf/metadata.json
index 75ce24abc8e..a909c6446ea 100644
--- a/assets/queries/ansible/aws/cloudfront_without_waf/metadata.json
+++ b/assets/queries/ansible/aws/cloudfront_without_waf/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "22c80725-e390-4055-8d14-a872230f6607",
- "queryName": "Cloudfront Without WAF",
+ "queryName": "CloudFront Without WAF",
 "severity": "LOW",
 "category": "Networking and Firewall",
 "descriptionText": "All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service",
diff --git a/assets/queries/ansible/aws/cloudfront_without_waf/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudfront_without_waf/test/positive_expected_result.json
index 5e8a9b52819..05a5d641e4e 100644
--- a/assets/queries/ansible/aws/cloudfront_without_waf/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/cloudfront_without_waf/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Cloudfront Without WAF",
+ "queryName": "CloudFront Without WAF",
 "severity": "LOW",
 "line": 2
 }
diff --git a/assets/queries/ansible/aws/cloudtrail_log_file_validation_disabled/metadata.json b/assets/queries/ansible/aws/cloudtrail_log_file_validation_disabled/metadata.json
index ea576b900e5..94e8a8ebb46 100644
--- a/assets/queries/ansible/aws/cloudtrail_log_file_validation_disabled/metadata.json
+++ b/assets/queries/ansible/aws/cloudtrail_log_file_validation_disabled/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "CloudTrail Log File Validation Disabled",
 "severity": "LOW",
 "category": "Observability",
- "descriptionText": "CloudTrail Log Files should have validation enabled",
+ "descriptionText": "CloudTrail log file validation should be enabled to determine whether a log file has not been tampered",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html",
 "platform": "Ansible",
 "descriptionID": "04302074",
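Review bot: The new descriptionText in the cloudtrail_log_file_validation_disabled hunk, `to determine whether a log file has not been tampered`, is ungrammatical ("tampered with") and states the control backwards: log file validation exists so an operator can verify that a log file delivered to the bucket was not modified or deleted afterwards. Suggest `"descriptionText": "CloudTrail log file validation should be enabled so that delivered log files can be verified as not having been modified or deleted after delivery"`. The CloudFormation twin of this query (cloudFormation/aws/cloudtrail_log_file_validation_disabled/metadata.json, at the end of this diff) introduces the identical sentence and should take the same wording so both platforms read alike.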
diff --git a/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_cmk/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_cmk/test/positive_expected_result.json
deleted file mode 100644
index 7643d7313ae..00000000000
--- a/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_cmk/test/positive_expected_result.json
+++ /dev/null
@@ -1,7 +0,0 @@
-[
- {
- "queryName": "CloudTrail Log Files Not Encrypted With CMK",
- "severity": "LOW",
- "line": 2
- }
-]
diff --git a/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_cmk/metadata.json b/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/metadata.json
similarity index 61%
rename from assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_cmk/metadata.json
rename to assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/metadata.json
index df75d830625..278507aa982 100644
--- a/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_cmk/metadata.json
+++ b/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/metadata.json
@@ -1,9 +1,9 @@
 {
 "id": "f5587077-3f57-4370-9b4e-4eb5b1bac85b",
- "queryName": "CloudTrail Log Files Not Encrypted With CMK",
+ "queryName": "CloudTrail Log Files Not Encrypted With KMS",
 "severity": "LOW",
 "category": "Encryption",
- "descriptionText": "CloudTrail Log Files should be encrypted with Key Management Service (KMS)",
+ "descriptionText": "Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html",
 "platform": "Ansible",
 "descriptionID": "d3b81fde",
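Review bot: The new descriptionText `Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail` replaces the one concrete fact the old sentence had with a rationale that says nothing; CloudTrail logs landing in S3 are already encrypted at rest with S3-managed keys by default, so the control this query actually enforces is SSE-KMS with a key the account controls. Follow the convention the rest of this changeset uses and name the attribute: `"descriptionText": "Logs delivered by CloudTrail should be encrypted using SSE-KMS with a key the account controls, which means the attribute 'kms_key_id' should be defined"` (`kms_key_id` is the community.aws.cloudtrail parameter; confirm it is what the renamed query.rego, unchanged in this diff, reads). Keeping `id` and `descriptionID` stable across the CMK→KMS rename is correct, so existing results and suppressions keep matching. Note that the expected-result fixture is recorded as a deletion plus a new file rather than a rename, so its history is cut here.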
diff --git a/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_cmk/query.rego b/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/query.rego
similarity index 100%
rename from assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_cmk/query.rego
rename to assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/query.rego
diff --git a/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_cmk/test/negative.yaml b/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/test/negative.yaml
similarity index 100%
rename from assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_cmk/test/negative.yaml
rename to assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/test/negative.yaml
diff --git a/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_cmk/test/positive.yaml b/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive.yaml
similarity index 100%
rename from assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_cmk/test/positive.yaml
rename to assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive.yaml
diff --git a/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json
new file mode 100644
index 00000000000..f8ba4b8005d
--- /dev/null
+++ b/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json
@@ -0,0 +1,7 @@
+[
+ {
+ "queryName": "CloudTrail Log Files Not Encrypted With KMS",
+ "severity": "LOW",
+ "line": 2
+ }
+]
diff --git a/assets/queries/ansible/aws/db_security_group_with_public_scope/metadata.json b/assets/queries/ansible/aws/db_security_group_with_public_scope/metadata.json
index f0b85d9ccae..b20d3cfa30b 100644
--- a/assets/queries/ansible/aws/db_security_group_with_public_scope/metadata.json
+++ b/assets/queries/ansible/aws/db_security_group_with_public_scope/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "DB Security Group With Public Scope",
 "severity": "HIGH",
 "category": "Networking and Firewall",
- "descriptionText": "The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6).",
+ "descriptionText": "The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html",
 "platform": "Ansible",
 "descriptionID": "47a14ee4",
diff --git a/assets/queries/ansible/aws/ecs_service_admin_role_is_present/metadata.json b/assets/queries/ansible/aws/ecs_service_admin_role_is_present/metadata.json
index 2471e5cabb9..742fa569d4f 100644
--- a/assets/queries/ansible/aws/ecs_service_admin_role_is_present/metadata.json
+++ b/assets/queries/ansible/aws/ecs_service_admin_role_is_present/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "7db727c1-1720-468e-b80e-06697f71e09e",
- "queryName": "ECS Service Admin Role is Present",
+ "queryName": "ECS Service Admin Role Is Present",
 "severity": "HIGH",
 "category": "Access Control",
 "descriptionText": "ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role",
diff --git a/assets/queries/ansible/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json b/assets/queries/ansible/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json
index 550533d248b..0b9e1c22307 100644
--- a/assets/queries/ansible/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "ECS Service Admin Role is Present",
+ "queryName": "ECS Service Admin Role Is Present",
 "severity": "HIGH",
 "line": 9
 }
diff --git a/assets/queries/ansible/aws/hardcoded_aws_access_key/metadata.json b/assets/queries/ansible/aws/hardcoded_aws_access_key/metadata.json
index cae7f8c3113..c987346effd 100644
--- a/assets/queries/ansible/aws/hardcoded_aws_access_key/metadata.json
+++ b/assets/queries/ansible/aws/hardcoded_aws_access_key/metadata.json
@@ -1,9 +1,9 @@
 {
 "id": "c2f15af3-66a0-4176-a56e-e4711e502e5c",
 "queryName": "Hardcoded AWS Access Key",
- "severity": "LOW",
+ "severity": "MEDIUM",
 "category": "Secret Management",
- "descriptionText": "Check if the user data in the EC2 instance has the access key hardcoded",
+ "descriptionText": "AWS Access Key should not be hardcoded",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/ec2_instance_module.html",
 "platform": "Ansible",
 "descriptionID": "d764256e",
diff --git a/assets/queries/ansible/aws/hardcoded_aws_access_key/test/positive_expected_result.json b/assets/queries/ansible/aws/hardcoded_aws_access_key/test/positive_expected_result.json
index 95a7a14075b..0f3cacd18a6 100644
--- a/assets/queries/ansible/aws/hardcoded_aws_access_key/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/hardcoded_aws_access_key/test/positive_expected_result.json
@@ -1,7 +1,7 @@
 [
 {
 "queryName": "Hardcoded AWS Access Key",
- "severity": "LOW",
+ "severity": "MEDIUM",
 "line": 7
 }
 ]
diff --git a/assets/queries/ansible/aws/hardcoded_aws_access_key_in_lambda/metadata.json b/assets/queries/ansible/aws/hardcoded_aws_access_key_in_lambda/metadata.json
index 65eb2869d65..22297c51666 100644
--- a/assets/queries/ansible/aws/hardcoded_aws_access_key_in_lambda/metadata.json
+++ b/assets/queries/ansible/aws/hardcoded_aws_access_key_in_lambda/metadata.json
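Review bot: The replacement descriptionText `AWS Access Key should not be hardcoded` in the hardcoded_aws_access_key hunk drops the scope the old sentence carried, namely that this query inspects EC2 instance user data; the descriptionUrl on the next line still points at ec2_instance_module, and the sibling query in this changeset keeps `In Lambda` in its name for exactly this reason. Suggest `"descriptionText": "AWS Access Key should not be hardcoded in the EC2 instance user data, which is readable from the instance metadata service and by any principal allowed to describe the instance"`. The LOW→MEDIUM bump is mirrored in positive_expected_result.json, which is correct; whether a long-lived credential exposed in user data should rank below `User Data Contains Encoded Private Key` (HIGH, later in this diff) deserves a deliberate decision rather than an implicit one.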
@@ -3,7 +3,7 @@
 "queryName": "Hardcoded AWS Access Key In Lambda",
 "severity": "MEDIUM",
 "category": "Secret Management",
- "descriptionText": "Lambda access key should not be in plaintext.",
+ "descriptionText": "Lambda access/secret keys should not be hardcoded",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/lambda_module.html",
 "platform": "Ansible",
 "descriptionID": "fc78f6de",
diff --git a/assets/queries/ansible/aws/iam_password_without_number/metadata.json b/assets/queries/ansible/aws/iam_password_without_number/metadata.json
index 3b10f9873c8..88eda94101c 100644
--- a/assets/queries/ansible/aws/iam_password_without_number/metadata.json
+++ b/assets/queries/ansible/aws/iam_password_without_number/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "IAM Password Without Number",
 "severity": "MEDIUM",
 "category": "Best Practices",
- "descriptionText": "Check if IAM account password has at least one number",
+ "descriptionText": "IAM user resource Login Profile Password should have at least one number",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html",
 "platform": "Ansible",
 "descriptionID": "c4ca592e",
diff --git a/assets/queries/ansible/aws/s3_bucket_logging_disabled/metadata.json b/assets/queries/ansible/aws/s3_bucket_logging_disabled/metadata.json
index 9431a83d9c9..3761a91f84e 100644
--- a/assets/queries/ansible/aws/s3_bucket_logging_disabled/metadata.json
+++ b/assets/queries/ansible/aws/s3_bucket_logging_disabled/metadata.json
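Review bot: The new descriptionText `IAM user resource Login Profile Password should have at least one number` in the iam_password_without_number hunk describes a per-user login profile, but the descriptionUrl on the next line points at iam_password_policy_module, which configures the account-wide password policy; those are different controls, and naming the wrong one will mislead whoever triages the finding. If query.rego (not in this diff) inspects the password policy, say so in the convention the rest of this changeset uses: `"descriptionText": "IAM password policy should require at least one number, which means 'require_numbers' should be set to true"` (`require_numbers` is the module's parameter; confirm it is the attribute the rego reads). If the rego really inspects a user's login profile password, then the descriptionUrl is the line that needs correcting instead.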
@@ -3,7 +3,7 @@
 "queryName": "S3 Bucket Logging Disabled",
 "severity": "MEDIUM",
 "category": "Observability",
- "descriptionText": "S3 bucket should have debug_botocore_endpoint_logs",
+ "descriptionText": "S3 bucket should have 'debug_botocore_endpoint_logs' defined",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html#parameter-debug_botocore_endpoint_logs",
 "platform": "Ansible",
 "descriptionID": "2b508aee",
diff --git a/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/metadata.json b/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/metadata.json
index 27c86cc29bb..e31ba266268 100644
--- a/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/metadata.json
+++ b/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "7af1c447-c014-4f05-bd8b-ebe3a15734ac",
- "queryName": "SQL Analysis Services Port 2383 (TCP) is Publicly Accessible",
+ "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
 "severity": "MEDIUM",
 "category": "Networking and Firewall",
 "descriptionText": "Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.",
diff --git a/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json
index 5cd598caa84..a3eb82d8f96 100644
--- a/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json
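Review bot: The new descriptionText `S3 bucket should have 'debug_botocore_endpoint_logs' defined` presents an Ansible module debugging switch as though it were S3 bucket logging. `debug_botocore_endpoint_logs` is a generic option of the amazon.aws modules that records which AWS API endpoints the task called in the task's return values; it does not turn on S3 server access logging for the bucket and has no effect on what the bucket records about requests to it. A query named `S3 Bucket Logging Disabled` in the Observability category that keys on this option gives users a false sense that access logging is covered. Either the description should say plainly what is checked (`"descriptionText": "S3 bucket task should have 'debug_botocore_endpoint_logs' enabled so the AWS API calls it makes are recorded in the play output"`) or the query should be reworked around the bucket's own access-logging configuration, which is outside this diff.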
@@ -1,26 +1,26 @@
 [
 {
- "queryName": "SQL Analysis Services Port 2383 (TCP) is Publicly Accessible",
+ "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
 "severity": "MEDIUM",
 "line": 9
 },
 {
- "queryName": "SQL Analysis Services Port 2383 (TCP) is Publicly Accessible",
+ "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
 "severity": "MEDIUM",
 "line": 23
 },
 {
- "queryName": "SQL Analysis Services Port 2383 (TCP) is Publicly Accessible",
+ "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
 "severity": "MEDIUM",
 "line": 37
 },
 {
- "queryName": "SQL Analysis Services Port 2383 (TCP) is Publicly Accessible",
+ "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
 "severity": "MEDIUM",
 "line": 51
 },
 {
- "queryName": "SQL Analysis Services Port 2383 (TCP) is Publicly Accessible",
+ "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
 "severity": "MEDIUM",
 "line": 65
 }
diff --git a/assets/queries/ansible/aws/sqs_with_sse_disabled/metadata.json b/assets/queries/ansible/aws/sqs_with_sse_disabled/metadata.json
index ce474521842..ec4962b8884 100644
--- a/assets/queries/ansible/aws/sqs_with_sse_disabled/metadata.json
+++ b/assets/queries/ansible/aws/sqs_with_sse_disabled/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "e1e7b278-2a8b-49bd-a26e-66a7f70b17eb",
- "queryName": "SQS with SSE disabled",
+ "queryName": "SQS With SSE Disabled",
 "severity": "MEDIUM",
 "category": "Encryption",
 "descriptionText": "Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE)",
diff --git a/assets/queries/ansible/aws/sqs_with_sse_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/sqs_with_sse_disabled/test/positive_expected_result.json
index 824d600f4dc..9508951fea5 100644
--- a/assets/queries/ansible/aws/sqs_with_sse_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/sqs_with_sse_disabled/test/positive_expected_result.json
@@ -1,21 +1,21 @@
 [
 {
- "queryName": "SQS with SSE disabled",
+ "queryName": "SQS With SSE Disabled",
 "severity": "MEDIUM",
 "line": 2
 },
 {
- "queryName": "SQS with SSE disabled",
+ "queryName": "SQS With SSE Disabled",
 "severity": "MEDIUM",
 "line": 16
 },
 {
- "queryName": "SQS with SSE disabled",
+ "queryName": "SQS With SSE Disabled",
 "severity": "MEDIUM",
 "line": 22
 },
 {
- "queryName": "SQS with SSE disabled",
+ "queryName": "SQS With SSE Disabled",
 "severity": "MEDIUM",
 "line": 29
 }
diff --git a/assets/queries/ansible/aws/stack_notifications_disabled/metadata.json b/assets/queries/ansible/aws/stack_notifications_disabled/metadata.json
index 164ae63791a..74e8bc6e445 100644
--- a/assets/queries/ansible/aws/stack_notifications_disabled/metadata.json
+++ b/assets/queries/ansible/aws/stack_notifications_disabled/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Stack Notifications Disabled",
 "severity": "MEDIUM",
 "category": "Observability",
- "descriptionText": "AWS CloudFormation should have stack notifications enabled",
+ "descriptionText": "AWS CloudFormation should have stack notifications enabled to be notified when an event occurs",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/cloudformation_module.html#parameter-notification_arns",
 "platform": "Ansible",
 "descriptionID": "59f8905d",
diff --git a/assets/queries/ansible/aws/user_data_contains_encoded_private_key/metadata.json b/assets/queries/ansible/aws/user_data_contains_encoded_private_key/metadata.json
index 28e0a15cc36..e73e9196832 100644
--- a/assets/queries/ansible/aws/user_data_contains_encoded_private_key/metadata.json
+++ b/assets/queries/ansible/aws/user_data_contains_encoded_private_key/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "User Data Contains Encoded Private Key",
 "severity": "HIGH",
 "category": "Encryption",
- "descriptionText": "User Data contains an encoded RSA Private Key",
+ "descriptionText": "User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/ec2_lc_module.html",
 "platform": "Ansible",
 "descriptionID": "45cb51c3",
diff --git a/assets/queries/ansible/azure/aks_network_policy_misconfigured/metadata.json b/assets/queries/ansible/azure/aks_network_policy_misconfigured/metadata.json
index 167b5566ecd..b49c65f969b 100644
--- a/assets/queries/ansible/azure/aks_network_policy_misconfigured/metadata.json
+++ b/assets/queries/ansible/azure/aks_network_policy_misconfigured/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "AKS Network Policy Misconfigured",
 "severity": "MEDIUM",
 "category": "Insecure Configurations",
- "descriptionText": "Azure Kubernetes Service should have the proper network policy configuration",
+ "descriptionText": "Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_aks_module.html#parameter-network_profile/network_policy",
 "platform": "Ansible",
 "descriptionID": "75bbf826",
diff --git a/assets/queries/ansible/azure/azure_container_registry_with_no_locks/metadata.json b/assets/queries/ansible/azure/azure_container_registry_with_no_locks/metadata.json
index 4711265eb4c..6793022e3f1 100644
--- a/assets/queries/ansible/azure/azure_container_registry_with_no_locks/metadata.json
+++ b/assets/queries/ansible/azure/azure_container_registry_with_no_locks/metadata.json
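Review bot: `If so, anyone can decode the private key easily` in the user_data_contains_encoded_private_key hunk is vague about both the who and the why: base64 is an encoding rather than encryption, so the key is effectively plaintext, and instance user data is readable by every process on the instance through the metadata service and by any principal allowed to describe the instance. Suggest `"descriptionText": "User Data should not contain a base64 encoded private key, since base64 is not encryption and user data is readable by any process on the instance and by anyone allowed to describe it"`. The `Encryption` category on the unchanged context line above is also debatable for a leaked-secret finding, given that the hardcoded access key queries in this same changeset sit under `Secret Management`.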
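Review bot: The rationale added in the aks_network_policy_misconfigured hunk, `to ensure the principle of least privileges`, misuses the term: it is the principle of least privilege (singular), it concerns identity permissions, and a missing AKS network policy is instead about pod-to-pod traffic being allowed by default (network segmentation). The same phrase, in places as `to grant the principle of least privileges`, which is not idiomatic English, is introduced further down in the public_storage_account, unrestricted_sql_server_acess and ssh_access_is_not_restricted hunks. Suggest tailoring each rationale to its control; here `"descriptionText": "Azure Kubernetes Service should have the proper network policy configuration so that pod-to-pod traffic is restricted rather than allowed by default, which means that 'network_profile.network_policy' should be defined"`, and for the three network-exposure queries `to reduce the exposed network surface` in place of the least-privilege wording.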
@@ -3,7 +3,7 @@
 "queryName": "Azure Container Registry With No Locks",
 "severity": "HIGH",
 "category": "Insecure Configurations",
- "descriptionText": "Azurerm Container Registry should contain associated locks through 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association",
+ "descriptionText": "Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_lock_module.html",
 "platform": "Ansible",
 "descriptionID": "7489a85f",
diff --git a/assets/queries/ansible/azure/cosmosdb_account_ip_range_filter_not_set/metadata.json b/assets/queries/ansible/azure/cosmosdb_account_ip_range_filter_not_set/metadata.json
index 16d0a2aa8e5..698ebf500fd 100644
--- a/assets/queries/ansible/azure/cosmosdb_account_ip_range_filter_not_set/metadata.json
+++ b/assets/queries/ansible/azure/cosmosdb_account_ip_range_filter_not_set/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "CosmosDB Account IP Range Filter Not Set",
 "severity": "HIGH",
 "category": "Networking and Firewall",
- "descriptionText": "The IP range filter should be defined",
+ "descriptionText": "The IP range filter should be defined to secure the data stored",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_cosmosdbaccount_module.html#parameter-ip_range_filter",
 "platform": "Ansible",
 "descriptionID": "7cb8bdbe",
diff --git a/assets/queries/ansible/azure/public_storage_account/metadata.json b/assets/queries/ansible/azure/public_storage_account/metadata.json
index 72581ce0b1f..1b424dc9260 100644
--- a/assets/queries/ansible/azure/public_storage_account/metadata.json
+++ b/assets/queries/ansible/azure/public_storage_account/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Public Storage Account",
 "severity": "HIGH",
 "category": "Access Control",
- "descriptionText": "Check if 'network_acls' is open to public.",
+ "descriptionText": "Storage Account should not be public to grant the principle of least privileges",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_storageaccount_module.html#parameter-network_acls",
 "platform": "Ansible",
 "descriptionID": "78d2c5b3",
diff --git a/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/metadata.json b/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/metadata.json
index a6484ac492c..4d06f0a94d8 100644
--- a/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/metadata.json
+++ b/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/metadata.json
@@ -2,8 +2,8 @@
 "id": "869e7fb4-30f0-4bdb-b360-ad548f337f2f",
 "queryName": "Redis Cache Allows Non SSL Connections",
 "severity": "MEDIUM",
- "category": "Encryption",
- "descriptionText": "Redis Cache resources should not allow non-SSL connections.",
+ "category": "Insecure Configurations",
+ "descriptionText": "Redis Cache resources should not allow non-SSL connections",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_rediscache_module.html",
 "platform": "Ansible",
 "descriptionID": "31e56819",
diff --git a/assets/queries/ansible/azure/small_activity_log_retention_period/query.rego b/assets/queries/ansible/azure/small_activity_log_retention_period/query.rego
index e944e8ac43d..0ed918f02ef 100644
--- a/assets/queries/ansible/azure/small_activity_log_retention_period/query.rego
+++ b/assets/queries/ansible/azure/small_activity_log_retention_period/query.rego
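Review bot: The new descriptionText `Storage Account should not be public to grant the principle of least privileges` in the public_storage_account hunk discards the attribute reference the old text had, while every other rewrite in this changeset adds a `which means '<attribute>' ...` clause and the descriptionUrl on the next line still anchors to `#parameter-network_acls`. Suggest `"descriptionText": "Storage Account should not be publicly reachable, which means 'network_acls' should not be open to public"`. The rego is not in this diff, so confirm that `network_acls` is indeed the attribute it inspects before committing to that wording.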
@@ -39,7 +39,7 @@ CxPolicy[result] {
 "searchKey": sprintf("name={{%s}}.{{%s}}.retention_policy.days", [task.name, modules[m]]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "azure_rm_monitorlogprofile.retention_policy.days should be greater than or equal to 365 days or 0 (indefinitely)",
- "keyActualValue": "azure_rm_monitorlogprofile.retention_policy.days is lesser than 365 days or different than 0 (indefinitely)",
+ "keyActualValue": "azure_rm_monitorlogprofile.retention_policy.days is less than 365 days or different than 0 (indefinitely)",
 }
 }
diff --git a/assets/queries/ansible/azure/unrestricted_sql_server_acess/metadata.json b/assets/queries/ansible/azure/unrestricted_sql_server_acess/metadata.json
index 182e1ed038e..2f4174bddbe 100644
--- a/assets/queries/ansible/azure/unrestricted_sql_server_acess/metadata.json
+++ b/assets/queries/ansible/azure/unrestricted_sql_server_acess/metadata.json
@@ -2,8 +2,8 @@
 "id": "3f23c96c-f9f5-488d-9b17-605b8da5842f",
 "queryName": "Unrestricted SQL Server Access",
 "severity": "MEDIUM",
- "category": "Best Practices",
- "descriptionText": "Azure SQL Server Accessibility should be set to a minimal address range, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be lesser than 256. Additionally, both ips must be different from '0.0.0.0'",
+ "category": "Networking and Firewall",
+ "descriptionText": "Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0'",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_sqlfirewallrule_module.html",
 "platform": "Ansible",
 "descriptionID": "03235d5d",
diff --git a/assets/queries/ansible/azure/unrestricted_sql_server_acess/query.rego b/assets/queries/ansible/azure/unrestricted_sql_server_acess/query.rego
index aeba695699d..fdc43f6f740 100644
--- a/assets/queries/ansible/azure/unrestricted_sql_server_acess/query.rego
+++ b/assets/queries/ansible/azure/unrestricted_sql_server_acess/query.rego
@@ -21,7 +21,7 @@ CxPolicy[result] {
 "resourceName": task.name,
 "searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, modules[m]]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": "The difference between the value of azure_rm_sqlfirewallrule end_ip_address and start_ip_address should be lesser than 256",
+ "keyExpectedValue": "The difference between the value of azure_rm_sqlfirewallrule end_ip_address and start_ip_address should be less than 256",
 "keyActualValue": "The difference between the value of azure_rm_sqlfirewallrule end_ip_address and start_ip_address is greater than or equal to 256",
 }
 }
diff --git a/assets/queries/ansible/gcp/cos_node_image_not_used/metadata.json b/assets/queries/ansible/gcp/cos_node_image_not_used/metadata.json
index b8c32fe47ea..a68b17e45a3 100644
--- a/assets/queries/ansible/gcp/cos_node_image_not_used/metadata.json
+++ b/assets/queries/ansible/gcp/cos_node_image_not_used/metadata.json
@@ -1,8 +1,8 @@
 {
 "id": "be41f891-96b1-4b9d-b74f-b922a918c778",
 "queryName": "COS Node Image Not Used",
- "severity": "HIGH",
- "category": "Insecure Configurations",
+ "severity": "MEDIUM",
+ "category": "Resource Management",
 "descriptionText": "The node image should be Container-Optimized OS(COS)",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_node_pool_module.html#parameter-config/image_type",
 "platform": "Ansible",
diff --git a/assets/queries/ansible/gcp/cos_node_image_not_used/test/positive_expected_result.json b/assets/queries/ansible/gcp/cos_node_image_not_used/test/positive_expected_result.json
index 600df868adb..4f65c66860d 100644
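Review bot: Moving `COS Node Image Not Used` from `Insecure Configurations` to `Resource Management` misfiles a hardening control: Container-Optimized OS is recommended, including by the CIS GKE Benchmark, for its minimal package set, read-only root filesystem and locked-down defaults, not for any resource-usage property, so users who filter results by security categories will stop seeing this finding. Suggest keeping `"category": "Insecure Configurations"` (or `Best Practices` if the intent is to soften it) and letting the severity change alone carry the downgrade; the paired update of positive_expected_result.json to MEDIUM is consistent and fine. If a project-wide category taxonomy dictates `Resource Management` here, a sentence in the commit message saying so would keep this from being re-raised.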
--- a/assets/queries/ansible/gcp/cos_node_image_not_used/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/cos_node_image_not_used/test/positive_expected_result.json
@@ -1,7 +1,7 @@
 [
 {
 "queryName": "COS Node Image Not Used",
- "severity": "HIGH",
+ "severity": "MEDIUM",
 "line": 13
 }
 ]
diff --git a/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/metadata.json b/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/metadata.json
index cff1fa0919f..1f65b5966bd 100644
--- a/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Google Compute Subnetwork with Private Google Access Disabled",
 "severity": "LOW",
 "category": "Networking and Firewall",
- "descriptionText": "Google Compute Subnetwork should have 'private_ip_google_access' set to yes",
+ "descriptionText": "Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_subnetwork_module.html#parameter-private_ip_google_access",
 "platform": "Ansible",
 "descriptionID": "f5dece39",
diff --git a/assets/queries/ansible/gcp/high_kms_rotation_period/metadata.json b/assets/queries/ansible/gcp/high_kms_rotation_period/metadata.json
index 6ecc1d63dda..034e24e18bd 100644
--- a/assets/queries/ansible/gcp/high_kms_rotation_period/metadata.json
+++ b/assets/queries/ansible/gcp/high_kms_rotation_period/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "High KMS Rotation Period",
 "severity": "MEDIUM",
 "category": "Secret Management",
- "descriptionText": "KMS rotation period should not surpass 365 days.",
+ "descriptionText": "KMS rotation period should not surpass 365 days",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_kms_crypto_key_module.html",
 "platform": "Ansible",
 "descriptionID": "46702906",
diff --git a/assets/queries/ansible/gcp/serial_ports_enabled_for_vm_instances/metadata.json b/assets/queries/ansible/gcp/serial_ports_enabled_for_vm_instances/metadata.json
index 3ac4bdeee07..deac7ec96b4 100644
--- a/assets/queries/ansible/gcp/serial_ports_enabled_for_vm_instances/metadata.json
+++ b/assets/queries/ansible/gcp/serial_ports_enabled_for_vm_instances/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Serial Ports Are Enabled For VM Instances",
 "severity": "MEDIUM",
 "category": "Networking and Firewall",
- "descriptionText": "Google Compute Engine VM instances should not enable serial ports",
+ "descriptionText": "Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html",
 "platform": "Ansible",
 "descriptionID": "7f8ab7a4",
diff --git a/assets/queries/ansible/gcp/ssh_access_is_not_restricted/metadata.json b/assets/queries/ansible/gcp/ssh_access_is_not_restricted/metadata.json
index 36320038ab5..16f66ee3471 100644
--- a/assets/queries/ansible/gcp/ssh_access_is_not_restricted/metadata.json
+++ b/assets/queries/ansible/gcp/ssh_access_is_not_restricted/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "SSH Access Is Not Restricted",
 "severity": "MEDIUM",
 "category": "Networking and Firewall",
- "descriptionText": "Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block).",
+ "descriptionText": "Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_firewall_module.html",
 "platform": "Ansible",
 "descriptionID": "1b0564ad",
diff --git a/assets/queries/ansible/gcp/using_default_service_account/metadata.json b/assets/queries/ansible/gcp/using_default_service_account/metadata.json
index 4dc535da3a5..3587520b9da 100644
--- a/assets/queries/ansible/gcp/using_default_service_account/metadata.json
+++ b/assets/queries/ansible/gcp/using_default_service_account/metadata.json
@@ -2,7 +2,7 @@
 "id": "2775e169-e708-42a9-9305-b58aadd2c4dd",
 "queryName": "Using Default Service Account",
 "severity": "MEDIUM",
- "category": "Insecure Defaults",
+ "category": "Insecure Configurations",
 "descriptionText": "Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account.",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html",
 "platform": "Ansible",
diff --git a/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/metadata.json b/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/metadata.json
index 29a895ab0bc..bda727c8f9c 100644
--- a/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/metadata.json
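Review bot: The new descriptionText of the Ansible ssh_access_is_not_restricted query ends with "the principle of least privileges"; the established term is singular, so the line should read `"descriptionText": "Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privilege",`. The same phrase is introduced in the GoogleDeploymentManager ssh_access_is_not_restricted hunk at L29 and in the Azure aks_network_policy_misconfigured hunk at L38, and should be corrected there as well. Because descriptionText is the explanation a user sees on every finding, keeping the three platforms word-for-word aligned in this commit avoids a drift that later per-platform edits tend to make worse.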
@@ -3,7 +3,7 @@
 "queryName": "CloudFront Logging Disabled",
 "severity": "MEDIUM",
 "category": "Observability",
- "descriptionText": "AWS Cloudfront distributions must have logging enabled, which means the attribute 'DistributionConfig.Logging' must be defined",
+ "descriptionText": "AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'DistributionConfig.Logging' should be defined",
 "descriptionUrl": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/logging-and-monitoring.html",
 "platform": "CloudFormation",
 "descriptionID": "3254d6d0",
diff --git a/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/metadata.json b/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/metadata.json
index 6a296599107..0bb7e7e4074 100644
--- a/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "CloudTrail Log File Validation Disabled",
 "severity": "LOW",
 "category": "Observability",
- "descriptionText": "CloudTrail log file validation should be enabled",
+ "descriptionText": "CloudTrail log file validation should be enabled to determine whether a log file has not been tampered",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#cfn-cloudtrail-trail-enablelogfilevalidation",
 "platform": "CloudFormation",
 "descriptionID": "66ab1b20",
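Review bot: The new descriptionText of cloudtrail_log_file_validation_disabled says "to determine whether a log file has not been tampered", which is a double negative and is missing the particle; suggest `"descriptionText": "CloudTrail log file validation should be enabled to detect whether a log file has been tampered with",`. The Terraform twin of this query at L32 introduces the identical sentence and should receive the same edit so both platforms describe the finding the same way.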
diff --git a/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_cmk/metadata.json b/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/metadata.json
similarity index 76%
rename from assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_cmk/metadata.json
rename to assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/metadata.json
index 36d5748ebfe..362fa6524af 100644
--- a/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_cmk/metadata.json
+++ b/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/metadata.json
@@ -1,9 +1,9 @@
 {
 "id": "050a9ba8-d1cb-4c61-a5e8-8805a70d3b85",
- "queryName": "CloudTrail Log Files Not Encrypted With CMK",
+ "queryName": "CloudTrail Log Files Not Encrypted With KMS",
 "severity": "LOW",
 "category": "Encryption",
- "descriptionText": "Logs delivered by CloudTrail should be encrypted using KMS",
+ "descriptionText": "Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#cfn-cloudtrail-trail-kmskeyid",
 "platform": "CloudFormation",
 "descriptionID": "cdc07a23",
diff --git a/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_cmk/query.rego b/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/query.rego
similarity index 100%
rename from assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_cmk/query.rego
rename to assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/query.rego
diff --git a/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_cmk/test/negative1.yaml b/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/test/negative1.yaml
similarity index 100%
rename from assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_cmk/test/negative1.yaml
rename to assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/test/negative1.yaml
diff --git a/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_cmk/test/negative2.json b/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/test/negative2.json
similarity index 100%
rename from assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_cmk/test/negative2.json
rename to assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/test/negative2.json
diff --git a/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_cmk/test/positive1.yaml b/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive1.yaml
similarity index 100%
rename from assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_cmk/test/positive1.yaml
rename to assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive1.yaml
diff --git a/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_cmk/test/positive2.json b/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive2.json
similarity index 100%
rename from assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_cmk/test/positive2.json
rename to assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive2.json
diff --git a/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_cmk/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json
similarity index 56%
rename from assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_cmk/test/positive_expected_result.json
rename to assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json
index 520df01994a..d47abd6e6bd 100644
--- a/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_cmk/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json
@@ -1,12 +1,12 @@
 [
 {
- "queryName": "CloudTrail Log Files Not Encrypted With CMK",
+ "queryName": "CloudTrail Log Files Not Encrypted With KMS",
 "severity": "LOW",
 "line": 62,
 "fileName": "positive1.yaml"
 },
 {
- "queryName": "CloudTrail Log Files Not Encrypted With CMK",
+ "queryName": "CloudTrail Log Files Not Encrypted With KMS",
 "severity": "LOW",
 "line": 53,
 "fileName": "positive2.json"
diff --git a/assets/queries/cloudFormation/aws/codebuild_not_encrypted/metadata.json b/assets/queries/cloudFormation/aws/codebuild_not_encrypted/metadata.json
index 473d9c7d436..977cf772a05 100644
--- a/assets/queries/cloudFormation/aws/codebuild_not_encrypted/metadata.json
+++ b/assets/queries/cloudFormation/aws/codebuild_not_encrypted/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "CodeBuild Not Encrypted",
 "severity": "MEDIUM",
 "category": "Encryption",
- "descriptionText": "CodeBuild Should have EncryptionKey defined",
+ "descriptionText": "CodeBuild Project should be encrypted, which means 'EncryptionKey' should be defined",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-codebuild-project.html",
 "platform": "CloudFormation",
 "descriptionID": "3e1306b1",
diff --git a/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/metadata.json b/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/metadata.json
index 9718e868da4..a6ceb3c3716 100644
--- a/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/metadata.json
+++ b/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/metadata.json
@@ -1,9 +1,9 @@
 {
 "id": "9564406d-e761-4e61-b8d7-5926e3ab8e79",
- "queryName": "DB Security Group with Public Scope",
+ "queryName": "DB Security Group With Public Scope",
 "severity": "HIGH",
 "category": "Networking and Firewall",
- "descriptionText": "The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6).",
+ "descriptionText": "The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html",
 "platform": "CloudFormation",
 "descriptionID": "3ddca0cc",
diff --git a/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/test/positive_expected_result.json
index 5d00b8d667b..e2decffae02 100644
--- a/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/test/positive_expected_result.json
@@ -3,28 +3,28 @@
 "severity": "HIGH",
 "line": 6,
 "fileName": "positive1.yaml",
- "queryName": "DB Security Group with Public Scope"
+ "queryName": "DB Security Group With Public Scope"
 },
 {
- "queryName": "DB Security Group with Public Scope",
+ "queryName": "DB Security Group With Public Scope",
 "severity": "HIGH",
 "line": 6,
 "fileName": "positive3.yaml"
 },
 {
- "queryName": "DB Security Group with Public Scope",
+ "queryName": "DB Security Group With Public Scope",
 "severity": "HIGH",
 "line": 19,
 "fileName": "positive2.yaml"
 },
 {
- "queryName": "DB Security Group with Public Scope",
+ "queryName": "DB Security Group With Public Scope",
 "severity": "HIGH",
 "line": 6,
 "fileName": "positive4.json"
 },
 {
- "queryName": "DB Security Group with Public Scope",
+ "queryName": "DB Security Group With Public Scope",
 "severity": "HIGH",
 "line": 24,
 "fileName": "positive5.json"
@@ -32,7 +32,7 @@
 {
 "line": 15,
 "fileName": "positive6.json",
- "queryName": "DB Security Group with Public Scope",
+ "queryName": "DB Security Group With Public Scope",
 "severity": "HIGH"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/metadata.json b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/metadata.json
index e85baf4af18..9774521d2d9 100644
--- a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/metadata.json
+++ b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Hardcoded AWS Access Key In Lambda",
 "severity": "MEDIUM",
 "category": "Secret Management",
- "descriptionText": "Lambda hardcoded AWS access/secret keys",
+ "descriptionText": "Lambda access/secret keys should not be hardcoded",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html#cfn-lambda-function-environment",
 "platform": "CloudFormation",
 "descriptionID": "ff065e3b",
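Review bot: The new descriptionText of hardcoded_aws_access_key_in_lambda, "Lambda access/secret keys should not be hardcoded", reads as if Lambda issued the keys, whereas the old text and the descriptionUrl's `environment` anchor indicate the check is about AWS credentials placed in the function's environment; suggest `"descriptionText": "AWS access/secret keys should not be hardcoded in Lambda environment variables",`. The Terraform twin of this query at L37 introduces the same wording and should be aligned with whatever phrasing is chosen here.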
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_disabled_cloudtrail_logging/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_disabled_cloudtrail_logging/metadata.json
index 824907cd06a..376e10888f0 100644
--- a/assets/queries/cloudFormation/aws/s3_bucket_disabled_cloudtrail_logging/metadata.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_disabled_cloudtrail_logging/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "S3 Bucket CloudTrail Logging Disabled",
 "severity": "HIGH",
 "category": "Observability",
- "descriptionText": "Server Access Logging must be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail",
+ "descriptionText": "Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html#cfn-s3-bucket-loggingconfig",
 "platform": "CloudFormation",
 "descriptionID": "00649261",
diff --git a/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/metadata.json b/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/metadata.json
index a0a4d802b0e..445a1678413 100644
--- a/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "12726829-93ed-4d51-9cbe-13423f4299e1",
- "queryName": "SQS with SSE disabled",
+ "queryName": "SQS With SSE Disabled",
 "severity": "MEDIUM",
 "category": "Encryption",
 "descriptionText": "Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE)",
diff --git a/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/test/positive_expected_result.json
index e767d0536c5..a684b5ddf0f 100644
--- a/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/test/positive_expected_result.json
@@ -1,12 +1,12 @@
 [
 {
- "queryName": "SQS with SSE disabled",
+ "queryName": "SQS With SSE Disabled",
 "severity": "MEDIUM",
 "line": 4,
 "fileName": "positive1.yaml"
 },
 {
- "queryName": "SQS with SSE disabled",
+ "queryName": "SQS With SSE Disabled",
 "severity": "MEDIUM",
 "line": 5,
 "fileName": "positive2.json"
diff --git a/assets/queries/cloudFormation/aws/stack_notifications_disabled/metadata.json b/assets/queries/cloudFormation/aws/stack_notifications_disabled/metadata.json
index 357c1b79a2d..7a4c21f28b7 100644
--- a/assets/queries/cloudFormation/aws/stack_notifications_disabled/metadata.json
+++ b/assets/queries/cloudFormation/aws/stack_notifications_disabled/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Stack Notifications Disabled",
 "severity": "MEDIUM",
 "category": "Observability",
- "descriptionText": "Enable AWS CloudFormation Stack Notifications",
+ "descriptionText": "AWS CloudFormation should have stack notifications enabled to be notified when an event occurs",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stack.html",
 "platform": "CloudFormation",
 "descriptionID": "1e12925e",
diff --git a/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/metadata.json b/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/metadata.json
index 05d54ae1b6f..17afeb65119 100644
--- a/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/metadata.json
+++ b/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "User Data Contains Encoded Private Key",
 "severity": "HIGH",
 "category": "Encryption",
- "descriptionText": "User Data Base64 contains an encoded RSA Private Key",
+ "descriptionText": "User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-as-launchconfig.html",
 "platform": "CloudFormation",
 "descriptionID": "b8212287",
diff --git a/assets/queries/googleDeploymentManager/cos_node_image_not_used/metadata.json b/assets/queries/googleDeploymentManager/cos_node_image_not_used/metadata.json
index a6c485381f7..096639bccc1 100644
--- a/assets/queries/googleDeploymentManager/cos_node_image_not_used/metadata.json
+++ b/assets/queries/googleDeploymentManager/cos_node_image_not_used/metadata.json
@@ -1,7 +1,7 @@
 {
 "id": "dbe058d7-b82e-430b-8426-992b2e4677e7",
 "queryName": "COS Node Image Not Used",
- "severity": "HIGH",
+ "severity": "MEDIUM",
 "category": "Insecure Configurations",
 "descriptionText": "The node image should be Container-Optimized OS(COS)",
 "descriptionUrl": "https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters.nodePools",
diff --git a/assets/queries/googleDeploymentManager/cos_node_image_not_used/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/cos_node_image_not_used/test/positive_expected_result.json
index e19b373f0a4..0e6d3563e62 100644
--- a/assets/queries/googleDeploymentManager/cos_node_image_not_used/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/cos_node_image_not_used/test/positive_expected_result.json
@@ -1,7 +1,7 @@
 [
 {
 "queryName": "COS Node Image Not Used",
- "severity": "HIGH",
+ "severity": "MEDIUM",
 "line": 7,
 "filename": "positive1.yaml"
 }
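Review bot: The category of user_data_contains_encoded_private_key stays "Encryption" even though the finding, like the hardcoded-key queries touched in this commit (hardcoded_aws_access_key_in_lambda at L25, hardcoded_aws_access_key at L36), is a secret embedded in configuration, so "Secret Management" looks like the consistent category for this file and for its Terraform twin at L38. Separately, the new descriptionText's "anyone can decode the private key easily" would be clearer if it said why: base64 is an encoding, not encryption, so the key is readable by anyone who can read the instance user data; suggest `"descriptionText": "User Data should not contain a base64 encoded private key, since base64 is an encoding, not encryption, and anyone who can read the user data can recover the key",`.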
diff --git a/assets/queries/googleDeploymentManager/ssh_access_is_not_restricted/metadata.json b/assets/queries/googleDeploymentManager/ssh_access_is_not_restricted/metadata.json
index 732c21161a4..f235bf2c023 100644
--- a/assets/queries/googleDeploymentManager/ssh_access_is_not_restricted/metadata.json
+++ b/assets/queries/googleDeploymentManager/ssh_access_is_not_restricted/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "SSH Access Is Not Restricted",
 "severity": "MEDIUM",
 "category": "Networking and Firewall",
- "descriptionText": "Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block)",
+ "descriptionText": "Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges",
 "descriptionUrl": "https://cloud.google.com/compute/docs/reference/rest/v1/firewalls",
 "platform": "GoogleDeploymentManager",
 "descriptionID": "10629ac9",
diff --git a/assets/queries/terraform/aws/authentication_without_mfa/metadata.json b/assets/queries/terraform/aws/authentication_without_mfa/metadata.json
index b054889f416..5f2dd39fd1b 100644
--- a/assets/queries/terraform/aws/authentication_without_mfa/metadata.json
+++ b/assets/queries/terraform/aws/authentication_without_mfa/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Authentication Without MFA",
 "severity": "HIGH",
 "category": "Access Control",
- "descriptionText": "Users should authenticate with MFA (Multi-factor Authentication)",
+ "descriptionText": "Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy",
 "platform": "Terraform",
 "descriptionID": "0db1a4b2",
diff --git a/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/metadata.json b/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/metadata.json
index 2f3a982892f..6366210def9 100644
--- a/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/metadata.json
+++ b/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "9f40c07e-699e-4410-8856-3ba0f2e3a2dd",
- "queryName": "CA certificate Identifier is outdated",
+ "queryName": "CA Certificate Identifier Is Outdated",
 "severity": "HIGH",
 "category": "Encryption",
 "descriptionText": "The CA certificate Identifier must be 'rds-ca-2019'.",
diff --git a/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/test/positive_expected_result.json b/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/test/positive_expected_result.json
index b0c0e2b1cfc..3eee129ab8b 100644
--- a/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/test/positive_expected_result.json
@@ -1,12 +1,12 @@
 [
 {
- "queryName": "CA certificate Identifier is outdated",
+ "queryName": "CA Certificate Identifier Is Outdated",
 "severity": "HIGH",
 "line": 12,
 "fileName": "positive1.tf"
 },
 {
- "queryName": "CA certificate Identifier is outdated",
+ "queryName": "CA Certificate Identifier Is Outdated",
 "severity": "HIGH",
 "line": 11,
 "fileName": "positive2.tf"
diff --git a/assets/queries/terraform/aws/cloudfront_logging_disabled/metadata.json b/assets/queries/terraform/aws/cloudfront_logging_disabled/metadata.json
index f6ad7a6297a..8d5c13c19da 100644
--- a/assets/queries/terraform/aws/cloudfront_logging_disabled/metadata.json
+++ b/assets/queries/terraform/aws/cloudfront_logging_disabled/metadata.json
@@ -1,9 +1,9 @@
 {
 "id": "94690d79-b3b0-43de-b656-84ebef5753e5",
- "queryName": "Cloudfront Logging Disabled",
+ "queryName": "CloudFront Logging Disabled",
 "severity": "MEDIUM",
 "category": "Observability",
- "descriptionText": "AWS Cloudfront distributions must have logging enabled, which means the attribute 'logging_config' must be defined",
+ "descriptionText": "AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution",
 "platform": "Terraform",
 "descriptionID": "9cf96455",
diff --git a/assets/queries/terraform/aws/cloudfront_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudfront_logging_disabled/test/positive_expected_result.json
index 330b86be310..0e8947653f8 100644
--- a/assets/queries/terraform/aws/cloudfront_logging_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/cloudfront_logging_disabled/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Cloudfront Logging Disabled",
+ "queryName": "CloudFront Logging Disabled",
 "severity": "MEDIUM",
 "line": 1
 }
diff --git a/assets/queries/terraform/aws/cloudfront_without_waf/metadata.json b/assets/queries/terraform/aws/cloudfront_without_waf/metadata.json
index ad395639ce3..e24a1dee196 100755
--- a/assets/queries/terraform/aws/cloudfront_without_waf/metadata.json
+++ b/assets/queries/terraform/aws/cloudfront_without_waf/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "1419b4c6-6d5c-4534-9cf6-6a5266085333",
- "queryName": "Cloudfront Without WAF",
+ "queryName": "CloudFront Without WAF",
 "severity": "LOW",
 "category": "Networking and Firewall",
 "descriptionText": "All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service",
diff --git a/assets/queries/terraform/aws/cloudfront_without_waf/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudfront_without_waf/test/positive_expected_result.json
index 79cef031f04..23fdae79ae5 100755
--- a/assets/queries/terraform/aws/cloudfront_without_waf/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/cloudfront_without_waf/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Cloudfront Without WAF",
+ "queryName": "CloudFront Without WAF",
 "severity": "LOW",
 "line": 15
 }
diff --git a/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/metadata.json b/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/metadata.json
index 8b9902d4c99..2c3aa75b918 100644
--- a/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/metadata.json
+++ b/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "CloudTrail Log File Validation Disabled",
 "severity": "LOW",
 "category": "Observability",
- "descriptionText": "CloudTrail log file validation should be enabled",
+ "descriptionText": "CloudTrail log file validation should be enabled to determine whether a log file has not been tampered",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#enable_log_file_validation",
 "platform": "Terraform",
 "descriptionID": "1d528dfd",
diff --git a/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_cmk/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_cmk/test/positive_expected_result.json
deleted file mode 100644
index 41946912991..00000000000
--- a/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_cmk/test/positive_expected_result.json
+++ /dev/null
@@ -1,7 +0,0 @@
-[
- {
- "queryName": "CloudTrail Log Files Not Encrypted With CMK",
- "severity": "LOW",
- "line": 1
- }
-]
diff --git a/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_cmk/metadata.json b/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/metadata.json
similarity index 79%
rename from assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_cmk/metadata.json
rename to assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/metadata.json
index 725655d8afc..316dccfb8b4 100644
--- a/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_cmk/metadata.json
+++ b/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/metadata.json
@@ -1,8 +1,8 @@
 {
 "id": "5d9e3164-9265-470c-9a10-57ae454ac0c7",
- "queryName": "CloudTrail Log Files Not Encrypted With CMK",
+ "queryName": "CloudTrail Log Files Not Encrypted With KMS",
 "severity": "LOW",
- "category": "Encryption",
+ "category": "Observability",
 "descriptionText": "Logs delivered by CloudTrail should be encrypted using KMS",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#kms_key_id",
 "platform": "Terraform",
diff --git a/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_cmk/query.rego b/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_cmk/query.rego
rename to assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/query.rego
diff --git a/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_cmk/test/negative.tf b/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/test/negative.tf
similarity index 100%
rename from assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_cmk/test/negative.tf
rename to assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/test/negative.tf
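Review bot: The category of the Terraform cloudtrail_log_files_not_encrypted_with_kms metadata changes from "Encryption" to "Observability", but the query is about the `kms_key_id` attribute (per the unchanged descriptionUrl) and its CloudFormation twin at L21 keeps "Encryption", so this looks like an accidental edit; keep `"category": "Encryption",`. If the recategorisation is intended, the CloudFormation query should move with it, and the descriptionText here should also receive the "to increase security of your CloudTrail" extension that the CloudFormation twin gets in this commit, so the two platforms do not drift.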
diff --git a/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_cmk/test/positive.tf b/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive.tf
similarity index 100%
rename from assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_cmk/test/positive.tf
rename to assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive.tf
diff --git a/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json
new file mode 100644
index 00000000000..1b50e20f3e9
--- /dev/null
+++ b/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json
@@ -0,0 +1,7 @@
+[
+ {
+ "queryName": "CloudTrail Log Files Not Encrypted With KMS",
+ "severity": "LOW",
+ "line": 1
+ }
+]
diff --git a/assets/queries/terraform/aws/db_security_group_with_public_scope/metadata.json b/assets/queries/terraform/aws/db_security_group_with_public_scope/metadata.json
index 3350c0148d6..ab5ac78123a 100644
--- a/assets/queries/terraform/aws/db_security_group_with_public_scope/metadata.json
+++ b/assets/queries/terraform/aws/db_security_group_with_public_scope/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "DB Security Group With Public Scope",
 "severity": "HIGH",
 "category": "Networking and Firewall",
- "descriptionText": "The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6).",
+ "descriptionText": "The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_security_group",
 "platform": "Terraform",
 "descriptionID": "97108586",
diff --git a/assets/queries/terraform/aws/ecs_service_admin_role_is_present/metadata.json b/assets/queries/terraform/aws/ecs_service_admin_role_is_present/metadata.json
index be7d83185f3..e8f009c9e5d 100644
--- a/assets/queries/terraform/aws/ecs_service_admin_role_is_present/metadata.json
+++ b/assets/queries/terraform/aws/ecs_service_admin_role_is_present/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "3206240f-2e87-4e58-8d24-3e19e7c83d7c",
- "queryName": "ECS Service Admin Role is Present",
+ "queryName": "ECS Service Admin Role Is Present",
 "severity": "HIGH",
 "category": "Access Control",
 "descriptionText": "ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role",
diff --git a/assets/queries/terraform/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json b/assets/queries/terraform/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json
index 1412408c957..c472ceefe5b 100644
--- a/assets/queries/terraform/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "ECS Service Admin Role is Present",
+ "queryName": "ECS Service Admin Role Is Present",
 "severity": "HIGH",
 "line": 7
 }
diff --git a/assets/queries/terraform/aws/elasticsearch_without_slow_logs/metadata.json b/assets/queries/terraform/aws/elasticsearch_without_slow_logs/metadata.json
index c2d53971314..ebd1bc076fd 100644
--- a/assets/queries/terraform/aws/elasticsearch_without_slow_logs/metadata.json
+++ b/assets/queries/terraform/aws/elasticsearch_without_slow_logs/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "e979fcbc-df6c-422d-9458-c33d65e71c45",
- "queryName": "Elasticsearch Without Slow Logs",
+ "queryName": "ElasticSearch Without Slow Logs",
 "severity": "MEDIUM",
 "category": "Observability",
 "descriptionText": "Ensure that AWS Elasticsearch enables support for slow logs",
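Review bot: The queryName of elasticsearch_without_slow_logs is changed from "Elasticsearch" to "ElasticSearch", but the product is spelled "Elasticsearch" and the unchanged descriptionText on the next line of this hunk still says "AWS Elasticsearch", so the two now disagree within one file. Unless the catalog deliberately standardises on "ElasticSearch", keep `"queryName": "Elasticsearch Without Slow Logs",`; the test expectation at L36 makes the same rename and would have to be reverted together with it.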
diff --git a/assets/queries/terraform/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json
index eac91c6a3aa..17e9a0e9089 100644
--- a/assets/queries/terraform/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Elasticsearch Without Slow Logs",
+ "queryName": "ElasticSearch Without Slow Logs",
 "severity": "MEDIUM",
 "line": 4,
 "filename": "positive1.tf"
diff --git a/assets/queries/terraform/aws/hardcoded_aws_access_key/metadata.json b/assets/queries/terraform/aws/hardcoded_aws_access_key/metadata.json
index b8aedc84212..e959064e9bd 100644
--- a/assets/queries/terraform/aws/hardcoded_aws_access_key/metadata.json
+++ b/assets/queries/terraform/aws/hardcoded_aws_access_key/metadata.json
@@ -1,9 +1,9 @@
 {
 "id": "d7b9d850-3e06-4a75-852f-c46c2e92240b",
 "queryName": "Hardcoded AWS Access Key",
- "severity": "LOW",
+ "severity": "MEDIUM",
 "category": "Secret Management",
- "descriptionText": "Hard-coded AWS access key / secret key exists in EC2 user data",
+ "descriptionText": "AWS Access Key should not be hardcoded",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance",
 "platform": "Terraform",
 "descriptionID": "9e8cbdfb",
diff --git a/assets/queries/terraform/aws/hardcoded_aws_access_key/test/positive_expected_result.json b/assets/queries/terraform/aws/hardcoded_aws_access_key/test/positive_expected_result.json
index d70245b34ee..6c3995f927d 100644
--- a/assets/queries/terraform/aws/hardcoded_aws_access_key/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/hardcoded_aws_access_key/test/positive_expected_result.json
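Review bot: The new descriptionText of hardcoded_aws_access_key, "AWS Access Key should not be hardcoded", drops two things the old text carried: that the check also covers the secret key, and that it looks at EC2 user data (the descriptionUrl still points at the instance resource). The Lambda sibling at L37 keeps "access/secret keys", so the two descriptions are now inconsistent; suggest `"descriptionText": "AWS access/secret keys should not be hardcoded in EC2 user data",`. The severity bump from LOW to MEDIUM is mirrored in the expected results at L37, so that part of the hunk is consistent.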
@@ -1,13 +1,13 @@
 [
 {
 "queryName": "Hardcoded AWS Access Key",
- "severity": "LOW",
+ "severity": "MEDIUM",
 "line": 5,
 "fileName": "positive2.tf"
 },
 {
 "queryName": "Hardcoded AWS Access Key",
- "severity": "LOW",
+ "severity": "MEDIUM",
 "line": 13,
 "fileName": "positive1.tf"
 }
diff --git a/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/metadata.json b/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/metadata.json
index 1f0970df018..465154f3cb5 100644
--- a/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/metadata.json
+++ b/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Hardcoded AWS Access Key In Lambda",
 "severity": "MEDIUM",
 "category": "Secret Management",
- "descriptionText": "Lambda hardcoded AWS access/secret keys",
+ "descriptionText": "Lambda access/secret keys should not be hardcoded",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function",
 "platform": "Terraform",
 "descriptionID": "63935af4",
diff --git a/assets/queries/terraform/aws/stack_notifications_disabled/metadata.json b/assets/queries/terraform/aws/stack_notifications_disabled/metadata.json
index 16eda82ce11..2e069be6af4 100644
--- a/assets/queries/terraform/aws/stack_notifications_disabled/metadata.json
+++ b/assets/queries/terraform/aws/stack_notifications_disabled/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Stack Notifications Disabled",
 "severity": "MEDIUM",
 "category": "Observability",
- "descriptionText": "Enable AWS CloudFormation Stack Notifications",
+ "descriptionText": "AWS CloudFormation should have stack notifications enabled to be notified when an event occurs",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack",
 "platform": "Terraform",
 "descriptionID": "f9826281",
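Review bot: In hardcoded_aws_access_key_in_lambda/metadata.json the new descriptionText `Lambda access/secret keys should not be hardcoded` reads as if Lambda had credentials of its own; the old text made clear that these are AWS access/secret keys found inside a Lambda function definition. Suggest `"descriptionText": "AWS access/secret keys should not be hardcoded in Lambda functions"`, which also mirrors the wording pattern of the EC2 variant changed earlier in this commit.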
diff --git a/assets/queries/terraform/aws/user_data_contains_encoded_private_key/metadata.json b/assets/queries/terraform/aws/user_data_contains_encoded_private_key/metadata.json
index 31584696f73..28d82ad25fc 100644
--- a/assets/queries/terraform/aws/user_data_contains_encoded_private_key/metadata.json
+++ b/assets/queries/terraform/aws/user_data_contains_encoded_private_key/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "User Data Contains Encoded Private Key",
 "severity": "HIGH",
 "category": "Encryption",
- "descriptionText": "User Data Base64 contains an encoded RSA Private Key",
+ "descriptionText": "User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#user_data_base64",
 "platform": "Terraform",
 "descriptionID": "e3b3b5c1",
diff --git a/assets/queries/terraform/azure/aks_network_policy_misconfigured/metadata.json b/assets/queries/terraform/azure/aks_network_policy_misconfigured/metadata.json
index df9d409a600..73342e577bd 100644
--- a/assets/queries/terraform/azure/aks_network_policy_misconfigured/metadata.json
+++ b/assets/queries/terraform/azure/aks_network_policy_misconfigured/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "AKS Network Policy Misconfigured",
 "severity": "MEDIUM",
 "category": "Insecure Configurations",
- "descriptionText": "Check if the Azure Kubernetes Service doesn't have the proper network policy configuration.",
+ "descriptionText": "Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/kubernetes_cluster",
 "platform": "Terraform",
 "descriptionID": "7708dadb",
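Review bot: The phrase `to ensure the principle of least privileges` added to the AKS Network Policy Misconfigured descriptionText uses a non-standard plural; the established term is "principle of least privilege". The same wording recurs in the Public Storage Account, Unrestricted SQL Server Access and SSH Access Is Not Restricted hunks later in this commit, and in the first two of those as `to grant the principle of least privileges`, which does not parse — a principle is followed or enforced, not granted. Suggest `to follow the principle of least privilege` in all four descriptions.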
diff --git a/assets/queries/terraform/azure/azure_container_registry_with_no_locks/metadata.json b/assets/queries/terraform/azure/azure_container_registry_with_no_locks/metadata.json
index ca0520240b9..b8fffdd0897 100644
--- a/assets/queries/terraform/azure/azure_container_registry_with_no_locks/metadata.json
+++ b/assets/queries/terraform/azure/azure_container_registry_with_no_locks/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Azure Container Registry With No Locks",
 "severity": "HIGH",
 "category": "Insecure Configurations",
- "descriptionText": "Azurerm Container Registry Must Contain Associated Locks ",
+ "descriptionText": "Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry'",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/container_registry",
 "platform": "Terraform",
 "descriptionID": "adb235b6",
diff --git a/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/metadata.json b/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/metadata.json
index 52ba3e6878d..3f49a626b9a 100644
--- a/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/metadata.json
+++ b/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "CosmosDB Account IP Range Filter Not Set",
 "severity": "HIGH",
 "category": "Networking and Firewall",
- "descriptionText": "The Ip Range Must Contain Ips",
+ "descriptionText": "The IP range filter should be defined to secure the data stored",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_account#ip_range_filter",
 "platform": "Terraform",
 "descriptionID": "fd34a2d6",
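Review bot: The rewritten descriptionText in azure_container_registry_with_no_locks/metadata.json keeps `Azurerm Container Registry`, which is the Terraform provider prefix rather than the product name, while the queryName on the first context line says `Azure Container Registry`. Suggest `"descriptionText": "Azure Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry'"`, so the prose names the product and only the quoted identifiers carry the provider prefix.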
diff --git a/assets/queries/terraform/azure/public_storage_account/metadata.json b/assets/queries/terraform/azure/public_storage_account/metadata.json
index bbbf21d35c7..ebfef6da0f2 100644
--- a/assets/queries/terraform/azure/public_storage_account/metadata.json
+++ b/assets/queries/terraform/azure/public_storage_account/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Public Storage Account",
 "severity": "HIGH",
 "category": "Access Control",
- "descriptionText": "Storage Account should not be public",
+ "descriptionText": "Storage Account should not be public to grant the principle of least privileges",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account",
 "platform": "Terraform",
 "descriptionID": "88948514",
diff --git a/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/metadata.json b/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/metadata.json
index 6465d35ac7e..21a2f58b413 100644
--- a/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/metadata.json
+++ b/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/metadata.json
@@ -2,8 +2,8 @@
 "id": "e29a75e6-aba3-4896-b42d-b87818c16b58",
 "queryName": "Redis Cache Allows Non SSL Connections",
 "severity": "MEDIUM",
- "category": "Encryption",
- "descriptionText": "Redis Cache resources should not allow non-SSL connections.",
+ "category": "Insecure Configurations",
+ "descriptionText": "Redis Cache resources should not allow non-SSL connections",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/redis_cache",
 "platform": "Terraform",
 "descriptionID": "b7160c8c",
diff --git a/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/metadata.json b/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/metadata.json
index e79e1c69dd0..59f6ec0a4bc 100644
--- a/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/metadata.json
+++ b/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Role Definition Allows Custom Role Creation",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Role Definition should not allow custom role creation",
+ "descriptionText": "Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition#actions",
 "platform": "Terraform",
 "descriptionID": "a96dc1b9",
diff --git a/assets/queries/terraform/azure/small_activity_log_retention_period/query.rego b/assets/queries/terraform/azure/small_activity_log_retention_period/query.rego
index 910c1b3ef1a..3da371daaa1 100644
--- a/assets/queries/terraform/azure/small_activity_log_retention_period/query.rego
+++ b/assets/queries/terraform/azure/small_activity_log_retention_period/query.rego
@@ -59,7 +59,7 @@ CxPolicy[result] {
 "searchKey": sprintf("azurerm_monitor_log_profile[%s].retention_policy.days", [name]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'azurerm_monitor_log_profile[%s].retention_policy.days' is greater than or equal to 365 days or 0 (indefinitely)", [name]),
- "keyActualValue": sprintf("'azurerm_monitor_log_profile[%s].retention_policy.days' is lesser than 365 days or different than 0 (indefinitely)", [name]),
+ "keyActualValue": sprintf("'azurerm_monitor_log_profile[%s].retention_policy.days' is less than 365 days or different than 0 (indefinitely)", [name]),
 "searchLine": common_lib.build_search_line(["resource","azurerm_monitor_log_profile",name, "retention_policy","days"], []),
 "remediation": json.marshal({
 "before": sprintf("%d", [retentionPolicy.days]),
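Review bot: The rewritten keyActualValue in small_activity_log_retention_period/query.rego still says `is less than 365 days or different than 0 (indefinitely)`; read literally, `or different than 0` is satisfied by every non-zero value, including compliant ones such as 400, whereas the keyExpectedValue on the line above is "greater than or equal to 365 or 0", whose negation is "less than 365 and not 0". Suggest `"keyActualValue": sprintf("'azurerm_monitor_log_profile[%s].retention_policy.days' is less than 365 days and different from 0 (indefinitely)", [name]),`. The CxPolicy rule this line belongs to starts before and ends after the hunk.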
diff --git a/assets/queries/terraform/azure/unrestricted_sql_server_access/metadata.json b/assets/queries/terraform/azure/unrestricted_sql_server_access/metadata.json
index 01e7f31880a..e1c2122d678 100644
--- a/assets/queries/terraform/azure/unrestricted_sql_server_access/metadata.json
+++ b/assets/queries/terraform/azure/unrestricted_sql_server_access/metadata.json
@@ -2,8 +2,8 @@
 "id": "d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28",
 "queryName": "Unrestricted SQL Server Access",
 "severity": "MEDIUM",
- "category": "Best Practices",
- "descriptionText": "Azure SQL Server Accessibility must be set to a minimal address range, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be lesser than 256. Additionally, both ips must be different from '0.0.0.0'",
+ "category": "Networking and Firewall",
+ "descriptionText": "Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_firewall_rule",
 "platform": "Terraform",
 "descriptionID": "837de8dd",
diff --git a/assets/queries/terraform/azure/unrestricted_sql_server_access/query.rego b/assets/queries/terraform/azure/unrestricted_sql_server_access/query.rego
index 27ee37e4aad..5e999e97699 100644
--- a/assets/queries/terraform/azure/unrestricted_sql_server_access/query.rego
+++ b/assets/queries/terraform/azure/unrestricted_sql_server_access/query.rego
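Review bot: The new descriptionText in unrestricted_sql_server_access/metadata.json ends with a trailing period (`'0.0.0.0'.`) while the same commit removes trailing periods from the Redis Cache and High KMS Rotation Period descriptions, and it mixes `should be set` with `must be less than` and `must be different` inside one sentence. Suggest dropping the final period and using one modality throughout, e.g. `... which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both IPs should be different from '0.0.0.0'`.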
@@ -15,7 +15,7 @@ CxPolicy[result] {
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("azurerm_sql_firewall_rule[%s].start_ip_address", [name]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("'azurerm_sql_firewall_rule[%s].start_ip_address' The difference between the value of the 'end_ip_address' and of 'start_ip_address' is lesser than 256", [name]),
+ "keyExpectedValue": sprintf("'azurerm_sql_firewall_rule[%s].start_ip_address' The difference between the value of the 'end_ip_address' and of 'start_ip_address' is less than 256", [name]),
 "keyActualValue": sprintf("'azurerm_sql_firewall_rule[%s].start_ip_address' The difference between the value of the 'end_ip_address' and of 'start_ip_address' is greater than or equal to 256", [name]),
 }
 }
diff --git a/assets/queries/terraform/gcp/cos_node_image_not_used/metadata.json b/assets/queries/terraform/gcp/cos_node_image_not_used/metadata.json
index 43385f422fc..cfeef39e3b0 100644
--- a/assets/queries/terraform/gcp/cos_node_image_not_used/metadata.json
+++ b/assets/queries/terraform/gcp/cos_node_image_not_used/metadata.json
@@ -1,7 +1,7 @@
 {
 "id": "8a893e46-e267-485a-8690-51f39951de58",
 "queryName": "COS Node Image Not Used",
- "severity": "HIGH",
+ "severity": "MEDIUM",
 "category": "Insecure Configurations",
 "descriptionText": "The node image should be Container-Optimized OS(COS)",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#node_config",
diff --git a/assets/queries/terraform/gcp/cos_node_image_not_used/test/positive_expected_result.json b/assets/queries/terraform/gcp/cos_node_image_not_used/test/positive_expected_result.json
index c89246a4819..46d0651f807 100644
--- a/assets/queries/terraform/gcp/cos_node_image_not_used/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/cos_node_image_not_used/test/positive_expected_result.json
@@ -1,7 +1,7 @@
 [
 {
 "queryName": "COS Node Image Not Used",
- "severity": "HIGH",
+ "severity": "MEDIUM",
 "line": 16
 }
 ]
diff --git a/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/metadata.json b/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/metadata.json
index a39c0a415c2..4649345f003 100644
--- a/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Google Compute Subnetwork with Private Google Access Disabled",
 "severity": "LOW",
 "category": "Networking and Firewall",
- "descriptionText": "Google Compute Subnetwork should have 'private_ip_google_access' set to true",
+ "descriptionText": "Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_subnetwork#private_ip_google_access",
 "platform": "Terraform",
 "descriptionID": "87e8a4f7",
diff --git a/assets/queries/terraform/gcp/high_kms_rotation_period/metadata.json b/assets/queries/terraform/gcp/high_kms_rotation_period/metadata.json
index 10bb3239794..3b2fc3b4032 100644
--- a/assets/queries/terraform/gcp/high_kms_rotation_period/metadata.json
+++ b/assets/queries/terraform/gcp/high_kms_rotation_period/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "High KMS Rotation Period",
 "severity": "MEDIUM",
 "category": "Secret Management",
- "descriptionText": "KMS Rotation Period should be greater than 365 days.",
+ "descriptionText": "KMS rotation period should not surpass 365 days",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/kms_crypto_key",
 "platform": "Terraform",
 "descriptionID": "2ce06fd2",
diff --git a/assets/queries/terraform/gcp/ssh_access_is_not_restricted/metadata.json b/assets/queries/terraform/gcp/ssh_access_is_not_restricted/metadata.json
index 5c715023068..992fbc8ed95 100644
--- a/assets/queries/terraform/gcp/ssh_access_is_not_restricted/metadata.json
+++ b/assets/queries/terraform/gcp/ssh_access_is_not_restricted/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "SSH Access Is Not Restricted",
 "severity": "MEDIUM",
 "category": "Networking and Firewall",
- "descriptionText": "Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block)",
+ "descriptionText": "Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall",
 "platform": "Terraform",
 "descriptionID": "c0e4fb6f",
diff --git a/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/metadata.json b/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/metadata.json
index 286a60eb102..5491bd6106e 100644
--- a/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/metadata.json
+++ b/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/metadata.json
@@ -2,8 +2,8 @@
 "id": "97fa667a-d05b-4f16-9071-58b939f34751",
 "queryName": "Serial Ports Are Enabled For VM Instances",
 "severity": "MEDIUM",
- "category": "Networking and Firewall",
- "descriptionText": "VM instance should not enable serial ports",
+ "category": "Insecure Configurations",
+ "descriptionText": "Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance",
 "platform": "Terraform",
 "descriptionID": "2967cde6",